For those of you who speak French, are learning French, think French sounds cool, or those who think French sounds stupid but funny, you might be interested: I’ll be live on Friday evening (10PM French time, that’s UTC+1), discussing with Mathieulh (PSP/PS3 Dev) in a show hosted by PspGen’s famous webmaster Magixien. Additionally, Wii dev Arasium might join us too.
We will be discussing the recent events on all gaming devices, hacks, piracy…
It will be 6AM for me here in Japan on Saturday morning, so if you want to hear my voice when I just woke up and I’m completely lacking sleep, this might be a once-in-a-lifetime opportunity for you.
Things are going very fast. For those who are just joining us: until now there were basically two solutions to run homebrews on a PSP. Either you had a hackable PSP on which you could install a “Custom firmware” (CFW), or you owned one of the new models (basically every PSP that was sold since summer 2008), and had to rely on some “exploits” such as the Patapon exploit, which was used to run HBL (a homebrew loader), and later on a HEN (Homebrew Enabler).
CFW or HEN, that was basically the choice we had so far to run homebrews.
Then came fail0verfl0w, and Mathieulh. A group of developers found a critical security issue in the PS3 system, which led to a full analysis of the PS3 firmware, in which some keys used for PSP game encryption were found. After a few weeks of hard work involving many developers, tools started to emerge. I’ll spare you the details for now, but it is basically possible to sign your own games (I’m talking here about games you created, not games you get on the PSN), and run them directly on a PSP without any “classic” hack, and without a Custom Firmware.
Yeah, we're superheroes, you love us
In the video below I’m showing Wagic running on a 6.35 PSP3000. Note that I cold reboot the console, to show that no exploit is running there.
The tools to sign your homebrews, although not entirely user friendly yet, can easily be found with our friend google (and if not now, tomorrow they will be). I used prxEncrypter by bbtgp and fix-relocations by JJS.
These signing techniques still rely on some external data, and Sony could probably fix this in further firmwares by creating a whitelist of allowed Eboots. Will they actually do it, or are they now focusing on the PSP2? For now, this is only user mode (yes, liquidzigong did sign his Hen, but this Hen still relies on a kernel exploit to work, and that’s easy to fix…), which should keep us away from any form of piracy, at least for now (and, alas, from plugin support or CFW as well)
This assumes you have access to your homebrew’s prx. If you only have the EBOOT, you can extract the prx with pbp unpacker (data.psp == your prx).
If your prx has type 7 relocations, run fix-relocations on it (fix-relocations mygame.prx). If you don’t know, run it anyway; it shouldn’t hurt.
Run PrxEncrypter on your prx (prxEncrypter mygame.prx).
Run pack-pbp the way you usually do it in a makefile (pack-pbp EBOOT.PBP PARAM.SFO icon.png NULL pic0.png pic1.png NULL data.psp NULL).
That’s it.
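To make the “data.psp == your prx” note and the pack-pbp argument order concrete, here is a small PBP packer/unpacker written for this post as an added example. It is not pbp unpacker, pack-pbp or any of the other tools named above, and it does no signing or encryption at all; it only shows how the container the steps above manipulate is laid out. The layout it relies on is the standard PBP one: a 4-byte magic, a 4-byte version, then eight little-endian 32-bit section offsets in the same order as pack-pbp’s arguments (PARAM.SFO, ICON0, ICON1, PIC0, PIC1, SND0, DATA.PSP, DATA.PSAR), with an absent section simply getting the same offset as the next one. The sample section contents are constructed stand-in bytes, not a real PARAM.SFO or prx.

```python
import struct
from typing import Dict, Optional

# The eight PBP sections, in header order. This is also the order of the
# pack-pbp arguments quoted in the post:
#   pack-pbp EBOOT.PBP PARAM.SFO icon0 icon1 pic0 pic1 snd0 data.psp data.psar
PBP_SECTIONS = ["PARAM.SFO", "ICON0.PNG", "ICON1.PMF", "PIC0.PNG",
                "PIC1.PNG", "SND0.AT3", "DATA.PSP", "DATA.PSAR"]
PBP_MAGIC = b"\x00PBP"
PBP_VERSION = 0x00010000                      # header version written by pack-pbp
PBP_HEADER_LEN = 8 + 4 * len(PBP_SECTIONS)    # magic + version + 8 offsets = 40 bytes


def pack_pbp(sections: Dict[str, Optional[bytes]]) -> bytes:
    """Build a PBP image from a name -> bytes mapping.

    A section that is absent or None gets zero length (its offset equals the
    next section's offset), which is what passing NULL to pack-pbp produces.
    """
    bodies = [sections.get(name) or b"" for name in PBP_SECTIONS]
    offsets = []
    cursor = PBP_HEADER_LEN
    for body in bodies:
        offsets.append(cursor)
        cursor += len(body)
    header = PBP_MAGIC + struct.pack("<I", PBP_VERSION) + struct.pack("<8I", *offsets)
    return header + b"".join(bodies)


def unpack_pbp(blob: bytes) -> Dict[str, bytes]:
    """Parse a PBP and return every non-empty section keyed by name.

    Section length is implied by the next offset (the last section runs to end
    of file). Offsets are range-checked so a truncated or malformed file raises
    ValueError instead of silently handing back garbage.
    """
    if len(blob) < PBP_HEADER_LEN or blob[:4] != PBP_MAGIC:
        raise ValueError("not a PBP file")
    offsets = list(struct.unpack_from("<8I", blob, 8))
    bounds = offsets + [len(blob)]
    out: Dict[str, bytes] = {}
    for i, name in enumerate(PBP_SECTIONS):
        start, end = bounds[i], bounds[i + 1]
        if start < PBP_HEADER_LEN or start > end or end > len(blob):
            raise ValueError(f"bad offset table at {name}")
        if end > start:
            out[name] = blob[start:end]
    return out


def extract_prx(blob: bytes) -> bytes:
    """DATA.PSP is the module the firmware loads, i.e. the prx the post tells
    you to run fix-relocations and prxEncrypter on."""
    return unpack_pbp(blob)["DATA.PSP"]


# Constructed sample input: stand-in bytes only, not a real SFO, PNG or prx.
# ICON1.PMF, SND0.AT3 and DATA.PSAR are deliberately left out, mirroring the
# three NULL slots in the post's pack-pbp command line.
SAMPLE = {
    "PARAM.SFO": b"\x00PSF" + b"\x01\x01\x00\x00" + b"sfo-stub",
    "ICON0.PNG": b"\x89PNG-icon-stub",
    "PIC0.PNG": b"\x89PNG-pic0-stub",
    "PIC1.PNG": b"\x89PNG-pic1-stub",
    "DATA.PSP": b"~PSP-prx-stub",
}


if __name__ == "__main__":
    eboot = pack_pbp(SAMPLE)
    print(f"packed {len(eboot)} bytes; sections: {sorted(unpack_pbp(eboot))}")
    print(f"DATA.PSP -> {extract_prx(eboot)!r}")
```

Round-tripping through pack_pbp and unpack_pbp shows why the argument order matters: swapping two files on the pack-pbp command line does not produce an error, it just stores the bytes under the wrong slot, and the firmware will then try to load whatever sits at the DATA.PSP offset.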
There are still lots of limitations (no kernel mode, prx should be less than 5MB, no static elf support,…), but tools are being progressively built to make this easier, so I’m sure that as I type this, more convenient tools will already be available. I spotted some tools that allow to sign static elfs by embedding a loader inside of the eboot.
Update 2: Initial tests show that this works with very simple homebrews, but not with more “complex” ones (yes, I tried with Wagic). Just keep in mind how HBL started though
Update 1: bbtgp slightly updated his package to make it more user friendly. He says: “modded build.mak and included sample. Set ENCRYPT=1 in the makefile for other programs to encrypt them”
After the Proof of concept released yesterday by kgsws, developer bbtgp just released a tool that can sign any Homebrew for the PSP.
I haven’t tested it yet, but I’m sure many people will give it a try and see if we can finally run any homebrew on OFW without the use of a Custom Firmware. Unless I misunderstood something, this is user mode only, I don’t expect this to run any kernel application, so forget about iso loaders, or a “signed CFW” for now… which is probably good anyways.
According to bbtgp, this has been tested on a regular “hello world” prx, and worked fine on both a psp1000 and a psp3000.
Developer kgsws (remember the MOHH exploit?) posted on /talk a few hours ago a homebrew that runs on a PSP without “any” hack. This is the result of days of experimenting with the PS3 firmware, in which keys used for signing PSP applications were discovered by Mathieulh.
Here’s a video from psp-hacks.com (yes, I’m lazy).
This is only a proof of concept for now, we can’t be sure if a “sign your own homebrews” tool will be released any time soon, but this is a major breakthrough for the PSP scene, probably as ground-shaking as the Pandora batteries almost 4 years ago…
The homebrew has been confirmed to work on PSPs with Official Firmware, you can download it here to test.
Congrats to all the devs involved in this (I said it already, but I’ve never seen so many devs in one thread)! And please don’t post that “it works” in the programming thread, we will delete posts that are not directly related to development.
Thanks to everyone who sent me the tip, I was on holiday
Developer neur0n released yesterday what seems to be a 6.35 CFW, which he updated to version “beta 2” a few hours ago.
I say “seems” because I wasn’t able to test this. According to neur0n this works only on PSP2000 models for now (and I don’t have a PSP 2000), the files don’t ship with any Readme, and my Japanese is broken enough that I’m not entirely sure about the usage. Nevertheless, the sources (mamosuke’s website and Neur0n’s twitter) are trustworthy, so I’m posting this for the people brave enough to give it a try.
Neur0n insists that this is a Beta version, and that you shouldn’t use it if you don’t have a pandora battery handy. This will only work on hackable psp 2000 models. If you have a ta88v3 or any other model (psp1000, psp3000, pspgo), do NOT attempt anything with this. This is a full custom firmware, so if you install this on an unhackable motherboard you will get a permanent brick.
If you’re brave enough to figure out how to install this and test this work in progress on your hackable psp2000, please show us some videos
coldbird is right, a downgrader “isn’t” possible. He is talking natively, mine hooks into the decryption routines to allow it
That makes sense. Thanks to Matt for the tip.
Original article 01/09: According to Coldbird, one of the developers of Hen PRO 6.35, Sony removed the possibility to run old updaters in firmware 6.35. He stated that it is not possible to downgrade from 6.35.
No you can’t downgrade. In fact this isn’t even a problem with 6.35 PRO, but with Sony.
Sony removed Updater Kernel Module Support for old Kernel Updaters in 6.35, so… once you go 6.35 – you don’t go back.
That’s it basically.
That being said, downgrading is IMO a thing of the past. We used downgraders back in 2006 when Custom Firmwares were just a concept. Today tools such as the TN Hen or Hen Pro are closer to a Custom Firmware (I like to call them “Light Custom Firmware”) than actual Homebrew Enablers, as they ship with lots of features that used to be exclusive to Custom Firmwares (recovery menu, plugin support, etc…). So nowadays there’s no real need for people to downgrade unhackable motherboards…
A few days ago, the fail0verfl0w team of developers revealed major issues in the security system of the PS3. This was quickly followed by major discoveries in the PS3 code, which seemed to show that Sony was relying far too much on obfuscation for the security scheme of the PS3. One of the consequences of this was also the discovery of some critical information regarding the PSP security.
Independent devs all around the world started releasing their own tools to go further in revealing the PS3 internals.
After being quiet for many days, Sony said in a short statement to technological website Edge:
“We are aware of this, and are currently looking into it. We will fix the issues through network updates, but because this is a security issue, we are not able to provide you with any more details.”
Given the details of the security flaw, which basically gave away the entire signing/encryption mechanism on the PS3, including parts that cannot be updated by a simple software update, the statement by Sony is really surprising. Are they trying to mitigate the buzz around this hack?
That being said, it isn’t impossible that Sony revokes some of their keys to play a cat and mouse game with hackers… To me the best move would be something similar to what is done with the Xbox: ban people who use a hacked console online. This way hackers can still have fun offline with the hardware they purchased, while normal players still enjoy a good gaming experience online…
Meanwhile, team fail0verfl0w showed a new video of Linux booting on a PS3 (see below), Geohot showed homebrew running on firmware 3.55 (see below), the PSP Eboot signing announced by MathieuLH seems to get closer, and KaKaRoToKS released a MFW for the PS3 (Modified FirmWare)… seems like things are moving really fast on the PS3/PSP development scene.
A few weeks ago, developer Jeerum released a game exploit for the demo of the game “minna no sukkiri”. At that time he announced he would be releasing more of his game exploits “for the sake of it”. Jeerum kept his word and released a “Hello World” and a binary loader for the game Carol Vorderman’s Sudoku.
Credits go to Jeerum for the exploit, as well as N00b81 and npt, for help with the code and beta testing respectively.
Download and more info can be found in Jeerum’s release thread, although I must admit I’m completely confused regarding the usefulness of this release…
As most of you probably know, team Fail0verfl0w announced at the German Chaos Computer Congress that they completely broke the PS3 security, by finding the signing keys used by Sony on the system.
In clear words, they are able to sign content and have a (non hacked) PS3 believe this content is signed by Sony (and therefore the PS3 will run anything you want).
I have received many contacts from people asking me if this would have an impact on the PSP. After all, the PS3 is able to run (decrypt) some PSP games, activate PSP content (like Media Go), and overall there is such a symbiosis between the PS3 and the PSP that we can’t help but ask ourselves: “what if the PSP keys were also available on the PS3?”
For those who wonder what this means, well simply put: no need for any exploit, HBL, or HEN in the future, as we will (?) be able to run our homebrews directly from the XMB without any hack. That is, if Mathieu releases his code.
If you still didn’t get it, this is a major breakthrough, with an impact similar to the pandora batteries and the first CFW on the PSP
Warning: I want to add that console hacking teams do not work for money. People like MathieuLH or the team fail0verfl0w will NOT ask you for money in exchange for their work. If their work ever gets released, it will be available for free. Don’t get tricked by fakers (there are a lot of fake failoverflow accounts on youtube apparently).
Almost a year ago I published a small chart giving a summary of the “hackability” of PSPs based on the model and the firmware. Things have changed over a year, and with the recent announcement of a 6.20 kernel exploit (and associated HEN) by Total_Noob, they will probably change again very soon. But if you just bought a PSP, all the current possibilities are probably a jungle to you, and you are wondering what your options are. Here’s a quick chart with the current status:
Overall I think it looks way better than the chart a year ago, don’t you think? Below are details for each model.
PSP Phat and PSP2000 (except ta88v3)
If you own a PSP Phat (PSP-1000), or a PSP Slim (PSP 2000) that is NOT a Ta88v3, then your PSP, independently of its firmware, is 100% hackable with a pandora battery. It’s been the case for many months now, and it will not change as the exploit used for the pandora batteries is a hardware exploit and cannot be fixed with a new firmware.
PSP-3000 and TA88v3, Firmware 5.03 and below
If you are the unlucky owner of a “doomed” motherboard, but happen to have firmware 5.03 or below, your PSP is “half-hackable” through the laughing man TIFF exploit and the associated Homebrew Enabler, better known as “ChickHEN”. “Half-hackable” means that your PSP can have all the features of fully hackable PSPs (homebrew, plugins, customizable themes, ISOs,…), but unlike fully hacked PSPs, if you hard-reboot your PSP, you’ll have to run the hack again. (For those who still don’t know, putting your PSP in sleep mode works fine and is the best thing to do to keep the HEN in RAM.)
PSP-3000, PSP Go and TA88v3, Firmware 5.05 up to firmware 6.20
Half-Byte Loader allows you to run most homebrews on these models, through a vulnerability in the Patapon2 Demo. Additionally, Total_Noob announced yesterday that he was working on a HEN for these models. A HEN will basically bring you most features a Custom Firmware can have, but you’ll have to be patient (like the rest of us).
PSP-3000, PSP Go and TA88v3, Firmware 6.30/6.31
Half-Byte Loader allows you to run most homebrews on these models, through a vulnerability in the Hot Shots Golf game. Total_Noob’s HEN is not planned for these firmwares, but he mentioned that a downgrader to 6.20 might be doable. There’s still good hope to get kernel access on these firmwares in the foreseeable future.
Vocabulary
Homebrew: User-made (non-official) applications. These include games such as Wagic, utilities, emulators…
ISO: In the PSP world, a digital copy of a game, most of the time unencrypted, which prevents it from running on an official firmware. ISOs are often associated with game piracy.
Plugin: Homebrews that are loaded into the RAM of the PSP to extend its functionality. For example, the music plugin allows playing MP3s while playing a game or a homebrew on the PSP.
HEN: Homebrew ENabler. A program that patches the PSP RAM to allow running unsigned code (homebrews). Unlike eLoader, a HEN stays resident in RAM and therefore doesn’t need to be launched every time you want to run unsigned code. To do this a HEN usually requires a kernel exploit.
TA88v3: A model of motherboard that was introduced on the PSP2000 in summer 2008. It fixes the vulnerability used by the pandora batteries. Several techniques exist to identify your PSP motherboard. If you have a PSP 2000, the easiest way to find out whether it has a “doomed” motherboard is to try a pandora kit (battery + memory stick) on it.